AWS Partner Network (APN) Blog

Simplify Activity Tracking with TCS Cloud Exponence and AWS CloudTrail Lake

By Sumitha Rao, AWS Architect – TCS
By Kishore Vinjam, Principal Solutions Architect – AWS
By Gaurav Arora, Principal Solutions Architect – AWS


Customers want an easier way to gather operational insights across their environments, including who changed which resources and when. However, audit activity across multiple Amazon Web Services (AWS) accounts and teams produces a large volume of data, and finding and investigating unauthorized changes or breaches in it becomes complex.

As they grow, organizations need to simplify their workloads in the cloud, not overcomplicate them. To streamline the process, it’s crucial to centralize audit events and metrics in one place for a unified view and improved analysis capabilities.

Tata Consultancy Services (TCS) developed a cloud management and orchestration platform, TCS Cloud Exponence, that provides resource maintenance, patching, perimeter monitoring, vulnerability protection, observability, and compliance auditing. TCS leveraged AWS CloudTrail Lake to support the monitoring and compliance auditing capabilities.

This solution allows customers to aggregate, immutably store, and query events from multiple AWS accounts and AWS regions.

In this post, you will learn how TCS is using AWS CloudTrail Lake to provide additional operational insights to TCS Cloud Exponence customers. You’ll also learn how to use the sample queries available in the CloudTrail console to query for these insights.

An IT services, consulting, and business solutions organization, TCS is an AWS Premier Tier Services Partner and Managed Service Provider (MSP) that has been partnering with many of the world’s largest businesses in their transformation journeys for the last 50 years.

Common Operational Insights Queries

AWS continuously collaborates with AWS Partners and customers to build the queries that derive the most frequently sought operational insights. These queries are evaluated and made available as sample queries in the AWS CloudTrail console.

Among many operational insights that TCS Cloud Exponence provides, a few common examples are listed below:

  • Identify who introduced changes to which containers in customers’ Amazon Elastic Container Service (Amazon ECS) environments.
  • Track any changes made from the AWS Management Console to ensure all changes went through an approval process.
  • Investigate AWS Lambda function URL invocations, both for security purposes such as detecting denial of service (DoS) attacks and to charge back the business based on its consumption.

Next, we explain how to access and execute these queries from the AWS CloudTrail console.

Prerequisites

  • Enable AWS CloudTrail Lake. Refer to the documentation for setup details.
  • Provision the infrastructure the sample queries will use, such as Amazon ECS clusters and AWS Lambda functions.
  • Use Amazon ECS Exec to run commands in, and directly interact with, containers.

Investigate Changes to Amazon ECS Containers

Amazon ECS Exec allows you to interact directly with containers without first connecting to the host operating system, opening inbound ports, or managing Secure Shell (SSH) keys. Although ECS Exec gives you secure access to containers running on Amazon Elastic Compute Cloud (Amazon EC2) instances or AWS Fargate, changing running containers is risky, so you will want to keep track of all such changes.

Through the ECS and CloudTrail integration, commands executed with Amazon ECS Exec are recorded as ExecuteCommand API events, which CloudTrail Lake collects from AWS accounts across the organization. You can use the CloudTrail Lake sample query shown below to identify, for example, who ran which commands through Amazon ECS Exec.

Follow these steps to execute a sample query:

  • Navigate to the AWS CloudTrail console, select Lake and Query from the left side panel.
  • Choose the Sample queries tab.
  • Under Sample queries, type in ECS Commands.
  • Click on the Query SQL for the query named Investigate who ran ECS commands.
  • Update the eventTime as needed.
  • Choose Run.
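The console's sample query is shown only as a screenshot below, so the following is an added example of the same kind of query, written for this post rather than taken from the console or from TCS. It assumes the event data store placeholder $EDS_ID used throughout CloudTrail Lake, and that the ExecuteCommand request parameters (cluster, task, container, command, interactive) are available in the requestParameters map; the eventTime bound is a placeholder to adjust.

```sql
-- Added example: who ran which ECS Exec commands, against which task and container.
-- Replace $EDS_ID with your event data store ID and adjust the eventTime bound.
-- Assumption: ExecuteCommand request parameters are exposed as string map keys.
SELECT
    eventTime,
    userIdentity.arn                              AS invoker,
    userIdentity.sessionContext.sessionIssuer.arn AS assumed_role,  -- null for IAM users
    sourceIPAddress,
    recipientAccountId                            AS account,
    awsRegion,
    element_at(requestParameters, 'cluster')      AS cluster,
    element_at(requestParameters, 'task')         AS task,
    element_at(requestParameters, 'container')    AS container,
    element_at(requestParameters, 'command')      AS command,
    element_at(requestParameters, 'interactive')  AS interactive,
    errorCode                                     -- non-null for failed or denied attempts
FROM
    $EDS_ID
WHERE
    eventSource = 'ecs.amazonaws.com'
    AND eventName = 'ExecuteCommand'
    AND eventTime > '2023-01-08 19:30:00'
ORDER BY
    eventTime DESC
```

Keeping errorCode in the result set, rather than filtering it out, surfaces denied ExecuteCommand attempts alongside successful ones, which is usually what an investigation wants. One caveat: CloudTrail records the command argument passed to ExecuteCommand. When interactive is true and that argument is a shell such as /bin/bash, the keystrokes typed inside the session are not in CloudTrail; they are captured only if you enabled ECS Exec session logging to Amazon CloudWatch Logs or Amazon S3 in the cluster's execute command configuration.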

TCS-Activity-Tracking-CloudTrail-1

Figure 1 – Sample query from the CloudTrail console.

As shown next in Figure 2, the command output provides details of who executed what command in the cluster, along with execution time and container details.

TCS-Activity-Tracking-CloudTrail-2

Figure 2 – List of commands executed using Amazon ECS Exec.

Track Changes Made in the AWS Console

TCS Cloud Exponence customers want any resource creation or change to go through an approval process. Hence, changes through the AWS console are discouraged, but they can’t be avoided completely, especially when multiple people are involved in managing the resources.

Before AWS CloudTrail Lake, tracking changes made by users from the AWS console required a pipeline built from CloudTrail logs delivered to Amazon Simple Storage Service (Amazon S3) and queried with Amazon Athena. That pipeline adds resources that must be managed.

With AWS CloudTrail Lake, you can query information directly from the central data store with a standard SQL-based query, without additional resources.

To find which users made write (non-read-only) changes from the console in the past week, follow these steps:

  • Navigate to the AWS CloudTrail console, select Lake and Query from the left side panel.
  • Choose the Sample queries tab.
  • Under Sample queries, type in who made console changes.
  • Click on the Query SQL for the query named Investigate who made console changes.
  • Update the eventTime as needed.
  • Choose Run.
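As with the ECS query, the console sample appears here only as a screenshot, so this is an added example of a console-changes query written for this post, not the console's sample or TCS code. It assumes the $EDS_ID placeholder, that readOnly is a boolean in the CloudTrail Lake schema, and that sessionCredentialFromConsole is set to 'true' for events made from an AWS Management Console session; the eventTime bound is a placeholder you set to cover the past week.

```sql
-- Added example: successful write API calls made from console sessions,
-- aggregated per principal, account and action so noisy users stand out.
-- Replace $EDS_ID and set the eventTime bound to seven days ago.
-- Assumption: sessionCredentialFromConsole = 'true' marks console-originated events.
SELECT
    userIdentity.arn     AS principal,
    recipientAccountId   AS account,
    eventSource,
    eventName,
    count(*)             AS changes,
    min(eventTime)       AS first_seen,
    max(eventTime)       AS last_seen
FROM
    $EDS_ID
WHERE
    readOnly = false                              -- write operations only
    AND sessionCredentialFromConsole = 'true'     -- made from a console session
    AND errorCode IS NULL                         -- successful changes; drop this to see denied attempts
    AND eventTime > '2023-01-01 00:00:00'
GROUP BY
    userIdentity.arn, recipientAccountId, eventSource, eventName
ORDER BY
    changes DESC
```

Grouping by eventSource and eventName turns a flat event list into a per-user summary of what was changed, which maps directly onto the approval-process check described above: any row here is a change that did not go through the pipeline, and the first_seen and last_seen columns bound when it happened.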

TCS-Activity-Tracking-CloudTrail-3

Figure 3 – List of changes performed from AWS console.

Investigate Number of Lambda Function Invocations

TCS leverages an AWS Lambda function URL with AWS Identity and Access Management (IAM)-based authentication to make Lambda functions available to development teams and operational groups. TCS needs to keep track of each function’s usage for both security and chargeback reasons.

Follow the steps below to create a custom query that collects the Lambda function invocation counts and groups them by the IAM identity that invoked the function:

  1. Navigate to the AWS CloudTrail console, select Lake and Query from the left side panel.
  2. On the Query page, open a new query editor by choosing +.
  3. Under the Query1 tab, copy and paste the SQL query shown below.
  4. Update the EDS_ID, functionName, and eventTime as required.
  5. Choose Run.
SELECT
    count(*) AS totalrequests,
    userIdentity.arn AS invoker
FROM
    $EDS_ID   -- replace with your event data store ID
WHERE
    eventName = 'Invoke'
    -- functionName in requestParameters holds the function ARN
    AND element_at(requestParameters, 'functionName') = 'arn:aws:lambda:us-east-1:123456789012:function:ctl-query-demo-lambda'
    AND errorCode IS NULL   -- successful invocations only
    AND eventTime > '2023-01-08 19:30:00'
GROUP BY
    userIdentity.arn

The command output tab will show the total number of requests made by each user.

TCS-Activity-Tracking-CloudTrail-4

Figure 4 – Count of Lambda function invocations per invoker.

You can save this query and collect updated insights easily in the future.

Additionally, you can schedule future queries to execute automatically and export the signed query results to the Amazon S3 bucket of your choice.

Conclusion

In this post, you learned how TCS is using AWS CloudTrail Lake to provide enhanced operational insights for TCS Cloud Exponence customers.

Several of these queries are built by TCS and AWS and are now available in the AWS console.

AWS teams are excited to work with you to build additional use cases that may benefit all AWS customers. If you’d like to contribute to this growing list of sample queries, please reach out to your AWS representative.

TCS – AWS Partner Spotlight

TCS is an AWS Premier Tier Services Partner and MSP that has been partnering with many of the world’s largest businesses in their transformation journeys for the last 50 years.

Contact TCS | Partner Overview | Case Studies